[148626] in cryptography@c2.net mail archive
Re: [Cryptography] Fwd: [IP] RSA Response to Media Claims Regarding
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Mon Dec 23 10:36:41 2013
X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <CAOLP8p5F0cxLtbymp83MmwJwatVaDyMhWeFTP1UF2RSffZXAKw@mail.gmail.com>
Date: Mon, 23 Dec 2013 07:40:55 -0500
To: Bill Cox <waywardgeek@gmail.com>
Cc: Cryptography List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Dec 23, 2013, at 12:08 AM, Bill Cox wrote:
> Does this mean RSA denies accepting $10M for making the NSA RNG the default in BSAFE? You did not say so in your post. So now RSA "categorically denies" entering into a secret contract with the NSA. If it wasn't secret, why didn't I hear about it? I'm pretty sure it would have made the geek news, and I may not be a crypto expert, but I follow geek news (slashdot would have burned RSA alive).
Oh, for God's sake, let it go.
We're talking about 2004. Were you following the news about RSA in 2004? In enough detail to have spotted one press blurb out of many? Would you remember one blurb from 10 years ago?
I'm not sure about the exact timing, but EMC - RSA's parent - acquired the company I was working at in 2004 (SMARTS). I would have had a particular interest in EMC-related stories - and, given a long-standing interest in crypto, in EMC and RSA related stories. I have no memory of PR around any such contract. Doesn't mean it didn't happen, but the fact that neither of us remember it means precisely nothing.
In any case, we have one story from one source asserting, in very general terms, that some kind of contract existed. No one else has confirmed it.
I'm actually willing to believe that the NSA would have done this, but I doubt it would have been done in the way you seem to think. All it would take is for any government agency to come to RSA and say "Hey, we have $10M in our budget to buy security stuff this year. Our security experts tell us your stuff is the best." And then later: "Our security guys say we really need to have that Dual EC RNG thingie. It's going to be in the new NIST standard, you know. Oh, you guys already implemented it? Great!" [NSA seems to have tipped RSA off that Dual EC DRNG was coming; RSA would have been all too happy to get out ahead of the curve, no pun intended. No big deal, it wasn't really a secret, and NSA may well have given the same "heads up" to the few other commercial crypto vendors as well.] And then finally, when RSA can just *feel* that money filling a big hole in a sales target: "Oh, our security guys tell us the new RNG needs to be the default. Safer that way." And the trivial change is made.
Of course, the government agency's "security guys" either are the NSA, or are being advised by the NSA. That's one of NSA's roles: They advise the rest of the government on cryptography. No one would question them doing their job.
Requirements for specific approved algorithms, and specific default configurations, are standard practice in government contracts; if you want to sell to the USG, you sell on their terms.
The indirect approach would have been easy for NSA to pull off, would have come out of someone else's budget (sure, it's only $10M, but any bureaucrat who can find a way to get *someone else* to spend it so that he can keep it for his own projects will be delighted) and would leave no NSA fingerprints. Even the NSA guys advising the other parts of the government probably wouldn't know *why* Dual EC DRNG was now on the "recommended" list - someone else would maintain the list. No one outside of NSA would have to know anything about NSA interests, goals, and methods - something NSA would find much more desirable than letting their interest be known and then have to buy silence.
I'll believe NSA pulled RSA into a conspiracy when I see *much* stronger evidence than we've seen so far.
But there will be plenty of people of the "where there's smoke there's fire" persuasion, who will now avoid RSA. NSA has managed to badly damage the reputation of RSA. (Well, considering their fiasco with RSA access tokens not so long ago, maybe their reputation was already tarnished.) I'm guessing we'll see more stories and rumors in the future - now that "everyone knows" RSA was infiltrated by NSA, should we trust any EMC product? After all, RSA is EMC's "security division" - they advise the rest of the company.
This is the collateral damage that flows from the kinds of games NSA has been playing. There will be more.
(BTW, I've been out of EMC for many years now. Only ended up there through an acquisition; never liked the place, would have no reason to defend them.)
-- Jerry
PS The stuff about RSA advising the rest of EMC about security is true. The SMARTS stuff had its own crypto - I and guys working for me developed it. We initially looked at available crypto code - BSAFE was one thing we looked at - but it was either too expensive, or came with open source licensing terms we couldn't live with. After the acquisition we kept hearing complaints from RSA security guys that we should be using the approved corporate stuff. As long as I stayed in charge of that software, I resisted - we had better things to do than to re-architect our security code - but I hear that, long after I left, all the stuff we developed was ripped out and replaced. I won't make any strong claims about our stuff - it could have been attacked, though you'd have to know what you were doing - but for various reasons we didn't represent a particularly high value target. It was probably good enough for the role it played, and I remain proud of the way we managed to slip a fairly good level of security in a backwards-compatible way into an existing product, selling to customers who, for the most part, didn't think security was important and didn't want it "getting in their way".
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography